Cyber-Surveillance Operation Resumed by Iran After a Long Break


Iran, one of the resourceful countries in Western Asia in terms of weapons and cyber intelligence has resumed its cyberespionage operation after a two-year downtime. Cybersecurity firms SafeBreach and Check Point directed joint research to discover an Iran-linked cyberespionage operation which has resumed with the latest second-stage malware and with an updated version of the Infy malware.

Espionage, destructive attacks, and social media manipulation- three major weapons of Iranian cyber capabilities, and the evidence suggest that Iran started the cyberespionage operation way back in 2007. For the first time, in 2016 the details regarding this operation were disclosed, Foudre a type of malware was used in these operations, and by 2018 it was updated eight times.

In the fast half of 2020, the operation was resumed with the latest versions of Foudre (versions20-22) and with new documents that were designed to tempt the victims and to execute the malicious code when closed. Following the execution of malicious code Foudre links to the command and control (C&C) server and fetches a new part of the malware, called Tonnerre.

According to the cybersecurity experts, Tonnerre is designed to expand the capabilities of Foudre but it is released as a different component. Foudre may only be deployed when the situation is out of control and it poses as legitimate software that can steal files from corrupt machines, can execute commands received from the C&C server, record sound and capture the screenshots.

Domain Generating Algorithms (DGA) are used by Tonnerre to link to the C&C which then stores data about the target, steal files, download updates and get an additional C&C. Both HTTP and FTP are used by Tonnerre to communicate with the C&C server. During the investigation, SafeBreach and Check Point spotted two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). While, Romania, India, Russia, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each.

Last week, Check Point reported that the Iranian government has targeted more than 1,200 citizens in extensive cyber-surveillance operations. A blog post containing details on both Foudre and Tonnerre read, “it seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities”.